This Rules/Policy document is provided to you and your organization as a starting point or maturity checkpoint for existing rules/policies. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides an easy, defendable, highly accountable starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. If you know of peers that you think would find value in these resources, please have them contact us. These will be updated on our website regularly. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful. If you have recommended updates, we are all ears. And if you need Converged Security Consulting and Training, please reach out; we would be honored to serve you and your organization.
Jim McConnell | info@askmcconnell.com | askmcconnell.com
A New Direction on Rules & Policies
I have worked with, read many, edited many, audited reams of them, written from scratch, maybe even violated a few, investigated countless, and trained on countless sets of rules in all types of organizations. The most common title for these sets of rules is “our Security Policy” — a term I promote in my security governance training — but to help all types of organizations that have struggled with these types of rules/policies, I am going back to 3rd grade and simply calling them “rules.” One of the most powerful and enforceable implementations I have done in my 30 years was one where I had a document — back then called an “Access Agreement” — where I focused employees on the accountability of “I understand and will follow…”
This collection is not meant to cover everything, but it will support any size organization (NGO to SMB to Fortune ### to Government). It is meant to simplify these rules/policies into literally one page and focus heavily on individual accountability. Yes, you will have some overlap between the documents — as some organizations only need specific documents rather than all of them.
I can’t tell you how many times I have seen rules/policies — some of which I helped write — where it was close to impossible to determine who (individually) was accountable.
They read like a company was writing to a company, and not to an individual.
These are written from the organization to the individual. Determining who is accountable comes in the form of a RACI exercise that is independent of these rules/policies. Ultimately, accountability rests at the CEO level if no one else is assigned.